German Howto
=Unlock of the La Fonera Plus=

This guide was originally written by: Giorgio Zarrelli. Edited and adapted by: Dema. The unlock method was developed by: Lama Bleu.

This howto is licensed under the GPL.

----

==The big and important disclaimer==

The procedure described here involves overwriting (reflashing) the memory of the La Fonera+. Because this is a very delicate procedure, we accept no responsibility for malfunctions, or for changes to or loss of device functionality, that occur after applying it. All changes you make are therefore at your own risk and on your own responsibility.

Now that this has been said: LET'S BEGIN!

=Ubuntu Linux Howto=

This howto is a step-by-step guide to unlocking the La Fonera plus under Ubuntu Linux. It can also be used with other Linux distributions, except for the distribution-specific commands for the TFTP daemon or sudo actions (not covered by this guide).

==What you need==

# a computer running a working Ubuntu Linux (used as the server)
# a LAN port on it for the Ethernet cable

==Server side==

First we install the TFTP daemon on the Ubuntu server:

 sudo apt-get install tftpd

Because tftpd is started by inetd, the file /etc/inetd.conf has to be changed as shown here:

 sudo nano -w /etc/inetd.conf

 tftp dgram udp wait nobody /usr/sbin/tcpd in.tftpd /srv/tftp

Next, create the directory in which the image file used to flash the memory of the Fonera+ will be stored:

 sudo mkdir /srv/tftp

Now change to this directory and download the image file from the web into it:

 cd /srv/tftp
 sudo wget http://eric.levine.free.fr/foneraplus/image.bin

This can take a while; the file is about 6.5 MB.
Once that is done, restart openbsd-inetd (it was probably already started along with tftpd):

 sudo /etc/init.d/openbsd-inetd restart

==Client side==

Connect the La Fonera+ and the client PC (laptop) with an Ethernet cable, using the black network socket of the La Fonera+. Assign the client PC a new network address:

 sudo ifconfig eth0 192.168.1.254

Now we create a script that sends ARP requests and waits for a reply from 192.168.1.1 (the Fonera+). When a reply arrives, the script connects by telnet and sends a CTRL C signal. The script has a small error in the nc section, which helps make it work and will be cleaned up later. Here is how to write the script:

 echo 'echo -e "\0377\0364\0377\0375\0006" >break.bin; sudo /usr/bin/arping -f 192.168.1.1; sudo nc -vvv 192.168.1.1 9000 < break.bin; telnet 192.168.1.1 9000' > catch_fonera+

Now make it executable:

 chmod u+x catch_fonera+

==Accessing the RedBoot of the La Fonera plus==

First switch off the La Fonera+. Now run the script:

 ./catch_fonera+

After entering your Ubuntu user password, switch on the La Fonera+. The little router boots and RedBoot waits 2 seconds to receive the CTRL C signal over the telnet session on the 192.168.1.1 Ethernet interface.

The following lines should now be displayed:

 ./catch_fonera+
 sudo password for zarrelli:
 ARPING 192.168.1.1 from 192.168.1.254 eth0
 Unicast reply from 192.168.1.1 XX:XX:XX:XX:XX:XX 0.992ms
 Sent 9 probes (9 broadcast(s))
 Received 1 response(s)
 fonera 192.168.1.1 9000 (?) open
 Executing boot script in 0.890 seconds - enter ^C to abort
 ^C
 RedBoot> sent 6, rcvd 82
 Trying 192.168.1.1...
 Connected to 192.168.1.1.
 Escape character is '^]'.
 RedBoot>

Attention: if you see the following line:

 RedBoot> ��

you have to press CTRL C on the keyboard, and you will then get a working RedBoot> prompt.

==Some checks before flashing==

Now check whether the FLASH addresses are shown as follows (you can do this with the "fis list" command):

 RedBoot> fis list
 Name              FLASH addr  Mem addr    Length      Entry point
 RedBoot           0xA8000000  0x80040400  0x00030000  0xA8000000
 loader            0xA8030000  0x80100000  0x00010000  0x80100000
 image             0xA8040000  0x80040400  0x00230004  0x80040400
 image2            0xA8660000  0xA8660000  0x00140000  0x80040400
 FIS directory     0xA87E0000  0xA87E0000  0x0000F000  0x00000000
 RedBoot config    0xA87EF000  0xA87EF000  0x00001000  0x00000000

Compare the lines above carefully; your output must match them exactly. Now we carry out further checks.

 RedBoot> x -b 0xa8040000 -l 32
 A8040000: 00 21 BF DE A2 14 D3 9B 00 0A 50 34 6D 00 00 80 |.!........P4m...|
 A8040010: 00 FF FF FF FF FF FF FF FF 00 04 02 48 80 0E 0F |............H...|

and another one:

 RedBoot> x -b 0xa8250000 -l 32
 A8250000: 1E 5E B5 70 5D FA DE 16 AE 98 85 61 87 D5 E2 09 |.^.p]......a....|
 A8250010: D2 C1 70 A0 DD F6 2A 30 7F C8 5E 0B 00 DF 50 0A |..p...*0..^...P.|

Once again, it is important to repeat: if exactly the values shown here appear on your screen, the flash should be possible.

==Loading the image file onto the La Fonera+ with TFTP==

In the next step the image file is loaded from the PC onto the La Fonera+ via TFTP and a checksum test is performed.

==Flashing==

We are at a dangerous step, reprogramming the FLASH memory:

Confirm with "y" when asked, to continue flashing.

==Resetting==

OK, we are done!
The last command triggers the reset and starts the new FREE Fonera+:

 RedBoot> reset

==Final settings and checks==

After the La Fonera+ has rebooted, connect to the private WLAN (AKA MyPlace) and use SSH to connect to the Fonera+:

 zarrelli@moveaway:~$ ssh -l root 192.168.10.1
 The authenticity of host '192.168.10.1 (192.168.10.1)' can't be establish
 RSA key fingerprint is 5c:d3:42:ed:52:6d:c0:c6:fb:ec:84:57:18:24:d7:be.
 Are you sure you want to continue connecting (yes/no)? yes
 Warning: Permanently added '192.168.10.1' (RSA) to the list of known host
 root@192.168.10.1's password:
 BusyBox v1.4.1 (2007-09-03 10:39:50 UTC) Built-in shell (ash)
 Enter 'help' for a list of built-in commands.
 [ASCII-art banner]
 -------------- Fonera 1.5 Firmware (v1.1.1.1) -----------------
  * Based on OpenWrt - http://openwrt.org
  * Powered by FON - http://www.fon.com
 -----------------------------------------------------
 root@OpenWrt:~#

Ohhhhh... the Fonera+ is open.... Wow!!!

The Fonera+ is now FREE!

<-------------- provisional end of the German translation -------------->

=Windows howto=

This howto guides you step by step through unlocking the La Fonera plus using Windows.

==What you need==

# one computer running Windows 2000 or Windows XP or Vista (bleah)
# one Ethernet patch cable

==Swiss-knife for Window$-fonero==

We strongly suggest that Windows users install the following tools:

TFTPD32.exe to access RedBoot and upload your image file to the Fonera+. The latest version, 3.23, is only 480 kB; the download page is here. The author's homepage is here (also DHCP server, Syslog..)
Another freeware TFTPD server can be downloaded from sourceforge.net here.

PuTTY is a terminal client which supports telnet, SSH, SSH tunneling and serial connections, all that we need for the La Fonera+. The official PuTTY page is here. On the download page we suggest downloading the full installer package "A Windows installer for everything except PuTTYtel".

WinSCP is also a good tool for transferring files to/from your Fonera+ and for editing files (the vi editor is not implemented in the Busybox compiled by FON).

==The server side==

First switch off your La Fonera+!

Install PuTTY with default settings.

Copy TFTPD32.EXE to your Windows Desktop.

We need to assign a static LAN IP to the computer on which TFTPD32 is installed. Open your control panel, network connections, and set your IP address to 192.168.1.254, netmask 255.255.255.0.

If your computer normally runs with a static IP, please write your config on a little post-it first! Or use the advanced configuration for the TCP/IP protocol and add a second IP address to your Ethernet interface.

As it is not easy to access the RedBoot console, launch a permanent ping to your Fonera+ in a background MS-DOS window: Start Menu/Run and type:

 cmd

(plus Enter ..)

 ping -t 192.168.1.1

Don't worry when you receive the message "Host is not responding" or similar.

==Accessing RedBoot==

It is not easy to access RedBoot; perhaps some scripts on this excellent NSLU2 page can help you.

Just a few seconds after booting your Fonera+ you must start a telnet connection to it on 192.168.1.1 port 9000. By default RedBoot listens on port 9000 for only 2 seconds before the normal kernel boot.

Launch the PuTTY configuration and use this screenshot to configure it. Parameters to configure: "Host name (or IP address): 192.168.1.1", "Port 9000", and for connection type check "Telnet".

You can save this configuration (in this example fill in "RedBoot" or "Fonera+" for "saved sessions"), then click "Save".

Now try to connect to RedBoot, but be very prompt and synchronized!!
Only 2 seconds from starting!

- arrange your windows on the screen so that you can see the "MSDOS ping -t" window and the PuTTY connection window simultaneously.

- power on your La Fonera+, click the "Open" button on the PuTTY screen.

- as soon as you see "reply from 192.168.1.1" in the ping window, press Enter and immediately CTRL-C on your keyboard.

OK! You've got the RedBoot prompt, like this! The most complicated task is done now!

 Executing boot script in 0.890 seconds - enter ^C to abort
 ^C
 RedBoot>

If your Fonera+ seems to boot normally and you can't access RedBoot, please retry.

==Some checks before flashing==

Now check whether your FLASH addresses are shown as follows (you can do this by issuing the "fis list" command):

 RedBoot> fis list
 Name              FLASH addr  Mem addr    Length      Entry point
 RedBoot           0xA8000000  0x80040400  0x00030000  0xA8000000
 loader            0xA8030000  0x80100000  0x00010000  0x80100000
 image             0xA8040000  0x80040400  0x00230004  0x80040400
 image2            0xA8660000  0xA8660000  0x00140000  0x80040400
 FIS directory     0xA87E0000  0xA87E0000  0x0000F000  0x00000000
 RedBoot config    0xA87EF000  0xA87EF000  0x00001000  0x00000000

Take a sharp look at the above output; you should get exactly the same values on your screen. Now we make some other checks:

 RedBoot> x -b 0xa8040000 -l 32
 A8040000: 00 21 BF DE A2 14 D3 9B 00 0A 50 34 6D 00 00 80 |.!........P4m...|
 A8040010: 00 FF FF FF FF FF FF FF FF 00 04 02 48 80 0E 0F |............H...|

and another one:

 RedBoot> x -b 0xa8250000 -l 32
 A8250000: 1E 5E B5 70 5D FA DE 16 AE 98 85 61 87 D5 E2 09 |.^.p]......a....|
 A8250010: D2 C1 70 A0 DD F6 2A 30 7F C8 5E 0B 00 DF 50 0A |..p...*0..^...P.|

Once again, if you get exactly the same values on your screen, you should be able to perform the flashing.

Now it's time to load the file into the RAM of the La Fonera+.

==Loading the image to la fonera with tftp==

Let's prepare the TFTPD32 server.
Launch TFTPD32.EXE and, as in this example, create a new directory C:\local (the server root directory).

Change parameters:

Current directory: C:\local

Server interface: select 192.168.1.254 if necessary.

Download and unzip this file to C:\local

Now it's time to tftp the image.bin file from your PC to the Fonera+, and verify the checksum:

A pop-up will appear in TFTPD32 during the transfer.

==Flashing==

We are at a dangerous step, reprogramming the FLASH memory:

Answer "y" when it asks you to continue flashing the memory.

Important note: when you press "y" to accept the flash process, your Fonera+ stops answering pings in the background MS-DOS window. The message "Erase from 0xa8260000-0xa8650000: ." and the remaining dots don't appear. Don't worry, don't reboot, just wait a few minutes. The ping will answer again and the remaining text will be displayed on your screen. Each dot is a 64 kB memory block. Scrolling is correct when flashing from the serial port.

==Resetting==

Ok, you are done! The last command is a reset, to reboot your new FREE Fonera+:

 RedBoot> reset

==Final settings and checks==

As the Fonera+ reboots, connect to your private wireless network (AKA MyPlace), or with an Ethernet cable, and use SSH to step into your Fonera+. If your Fonera+ is connected to the WAN (internet), wait until the Power LED turns green before connecting to it by SSH. If no WAN is connected, wait 2 minutes.

As in the first step, create a new profile in PuTTY to connect to your Fonera+. Parameters to configure: "Host name (or IP address): 192.168.10.1". For connection type check "SSH"; the port number will toggle to "22".

You can save this configuration: choose a name for "saved sessions", then click "Save".

Click "Open". This is the first connection, so accept the PuTTY security alert below.

You get the login prompt; the default password for "root" is "admin".

=MacosX howto=

In this section we will guide you through the unlocking process under MacosX. This is my laptop OS, so I can guarantee from direct testing that it works like a charm.
==What you need==

# one computer running MacosX
# one Ethernet patch cable

==The server side==

We need to install a TFTP program. I chose a very easy to use TFTP server. It's called tftpserver (doh!) and you can grab it here. Once it is installed, open a terminal (yes, macosx is fun with the terminal too) and type

 cd
 mkdir tftp

to create the tftp directory. Now open the tftpserver program and change the path to the tftp directory which you created in your home. Back in the terminal, grab the image file for flashing la fonera:

 cd
 cd tftp
 wget http://eric.levine.free.fr/foneraplus/image.bin

Wait a while, it's 6.5 Mb of stuff.

Now we can click on start TFTP in the tftpserver window.

==The client side==

Take a network cable, plug one end into the Fonera+ (black hole) and the other end into the Ethernet port on your macbook(pro) or Imac or MacPro or Minime. Time to give your Mac a new network address:

 sudo ifconfig en0 192.168.1.254

And now let's create a little dirty script. It will arp the network, waiting for 192.168.1.1 (the Fonera+) to answer. As soon as it answers, the script will telnet to it and send a CTRL C signal. Look, there's a tiny error in the script, in the nc section, just to force things to work. I will look later at how to fix it. Anyway, it works. Let's create the script:

 echo 'echo -e "\0377\0364\0377\0375\0006" >break.bin; sudo /usr/bin/arping -f 192.168.1.1; sudo nc -vvv 192.168.1.1 9000 < break.bin; telnet 192.168.1.1 9000' > catch_fonera+

Time to make it executable:

 chmod u+x catch_fonera+

==Access redboot of la Fonera plus==

At this point, switch off La Fonera+. Now execute the script:

 ./catch_fonera+

Fill in your Mac user password and switch on the Fonera+. This little box will boot up and RedBoot will wait for 2 seconds to receive a CTRL C signal through a telnet session on its 192.168.1.1 Ethernet interface.
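
What the script sends as "CTRL C" is a short sequence of Telnet commands rather than a keystroke. The following added example (not part of the original howto; the function names are illustrative) decodes the bytes that the script writes to break.bin:

```shell
#!/bin/sh
# Added example (not from the original howto): decode the Telnet command
# bytes that catch_fonera+ writes to break.bin and feeds to nc.

# decode_telnet FILE: print one decoded Telnet token per line.
decode_telnet() {
    od -An -v -tu1 "$1" | awk '
        BEGIN {
            # Telnet command codes (RFC 854)
            cmd[241] = "NOP";  cmd[242] = "DM";  cmd[243] = "BRK"
            cmd[244] = "IP";   cmd[245] = "AO";  cmd[246] = "AYT"
            cmd[247] = "EC";   cmd[248] = "EL";  cmd[249] = "GA"
            cmd[251] = "WILL"; cmd[252] = "WONT"
            cmd[253] = "DO";   cmd[254] = "DONT"
            # A few option codes (RFC 857, 858, 860)
            opt[1] = "ECHO"; opt[3] = "SUPPRESS-GO-AHEAD"; opt[6] = "TIMING-MARK"
            state = "data"
        }
        {
            for (i = 1; i <= NF; i++) {
                b = $i + 0
                if (state == "opt") {          # option byte after WILL/WONT/DO/DONT
                    print "IAC " verb " " ((b in opt) ? opt[b] : "option-" b)
                    state = "data"
                } else if (state == "iac") {   # command byte after IAC (255)
                    if (b >= 251 && b <= 254) { verb = cmd[b]; state = "opt" }
                    else if (b == 255) { print "DATA 255"; state = "data" }
                    else { print "IAC " ((b in cmd) ? cmd[b] : "command-" b); state = "data" }
                } else if (b == 255) {
                    state = "iac"
                } else {
                    print "DATA " b
                }
            }
        }
        END { if (state != "data") print "TRUNCATED" }
    '
}

# Constructed sample: the same bytes the script produces with
# echo -e "\0377\0364\0377\0375\0006" (echo appends the final newline).
make_break_bin() {
    printf '\377\364\377\375\006\n' > "$1"
}

sample=$(mktemp)
make_break_bin "$sample"
decode_telnet "$sample"
echo "bytes: $(wc -c < "$sample" | tr -d ' ')"
rm -f "$sample"
```

The decoded sequence is Interrupt Process followed by DO TIMING-MARK, and the byte count of 6 is the "sent 6" that nc reports in the session output on this page.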
Here is what you will likely see:

 ./catch_fonera+
 sudo password for zarrelli:
 ARPING 192.168.1.1 from 192.168.1.254 eth0
 Unicast reply from 192.168.1.1 XX:XX:XX:XX:XX:XX 0.992ms
 Sent 9 probes (9 broadcast(s))
 Received 1 response(s)
 fonera 192.168.1.1 9000 (?) open
 Executing boot script in 0.890 seconds - enter ^C to abort
 ^C
 RedBoot> sent 6, rcvd 82
 Trying 192.168.1.1...
 Connected to 192.168.1.1.
 Escape character is '^]'.
 RedBoot>

Be careful: when you see the following line:

 RedBoot> ��

strike CTRL C on your keyboard and you will receive a working RedBoot> prompt.

==Some checks before flashing==

Now check whether your FLASH addresses are shown as follows (you can do this by issuing the "fis list" command):

 RedBoot> fis list
 Name              FLASH addr  Mem addr    Length      Entry point
 RedBoot           0xA8000000  0x80040400  0x00030000  0xA8000000
 loader            0xA8030000  0x80100000  0x00010000  0x80100000
 image             0xA8040000  0x80040400  0x00230004  0x80040400
 image2            0xA8660000  0xA8660000  0x00140000  0x80040400
 FIS directory     0xA87E0000  0xA87E0000  0x0000F000  0x00000000
 RedBoot config    0xA87EF000  0xA87EF000  0x00001000  0x00000000

Take a sharp look at the above output; you should get exactly the same values on your screen. Now we make some other checks:

 RedBoot> x -b 0xa8040000 -l 32
 A8040000: 00 21 BF DE A2 14 D3 9B 00 0A 50 34 6D 00 00 80 |.!........P4m...|
 A8040010: 00 FF FF FF FF FF FF FF FF 00 04 02 48 80 0E 0F |............H...|

and another one:

 RedBoot> x -b 0xa8250000 -l 32
 A8250000: 1E 5E B5 70 5D FA DE 16 AE 98 85 61 87 D5 E2 09 |.^.p]......a....|
 A8250010: D2 C1 70 A0 DD F6 2A 30 7F C8 5E 0B 00 DF 50 0A |..p...*0..^...P.|

Once again, if you get exactly the same values on your screen, you should be able to perform the flashing.

==Loading the image to la fonera with tftp==

Now it's time to tftp the image.bin file from your PC to the Fonera+ and verify the checksum:

==Flashing==

We are at a dangerous step, reprogramming the FLASH memory:

Answer "y" when it asks you to continue flashing the memory.
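
Before answering "y", the exact-match comparison of the fis list rows and memory dumps described above can be done mechanically on a saved terminal log instead of by eye. This is an added example, not part of the original howto; the function names and the constructed sample capture are assumptions, while the expected values are the ones printed on this page.

```shell
#!/bin/sh
# Added example (not from the original howto): compare a saved RedBoot session
# log with the fis list rows and hex dumps this page says must match exactly.

# Expected values, copied from the page. The hex rows omit the ASCII gutter.
expected_rows() {
cat <<'EOF'
RedBoot 0xA8000000 0x80040400 0x00030000 0xA8000000
loader 0xA8030000 0x80100000 0x00010000 0x80100000
image 0xA8040000 0x80040400 0x00230004 0x80040400
image2 0xA8660000 0xA8660000 0x00140000 0x80040400
FIS directory 0xA87E0000 0xA87E0000 0x0000F000 0x00000000
RedBoot config 0xA87EF000 0xA87EF000 0x00001000 0x00000000
A8040000: 00 21 BF DE A2 14 D3 9B 00 0A 50 34 6D 00 00 80
A8040010: 00 FF FF FF FF FF FF FF FF 00 04 02 48 80 0E 0F
A8250000: 1E 5E B5 70 5D FA DE 16 AE 98 85 61 87 D5 E2 09
A8250010: D2 C1 70 A0 DD F6 2A 30 7F C8 5E 0B 00 DF 50 0A
EOF
}

# Strip telnet CRs and the "|....|" gutter, then collapse runs of blanks.
normalize_log() {
    tr -d '\r' < "$1" | sed 's/ *|.*$//' | awk '{ $1 = $1; print }'
}

# check_redboot_log FILE: exit 0 only if every expected row appears verbatim.
check_redboot_log() {
    norm=$(mktemp) || return 2
    normalize_log "$1" > "$norm"
    missing=0
    while IFS= read -r row; do
        if ! grep -Fxq -- "$row" "$norm"; then
            echo "no exact match for: $row" >&2
            missing=$((missing + 1))
        fi
    done <<EOF
$(expected_rows)
EOF
    rm -f "$norm"
    [ "$missing" -eq 0 ]
}

# Constructed sample capture: CRLF line ends, padded columns, ASCII gutter.
make_sample_log() {
    printf 'RedBoot> fis list\r\n'
    expected_rows | awk '{ gsub(/ /, "  "); if (/^A8/) $0 = $0 "  |................|"; printf "%s\r\n", $0 }'
}

# Demo: a matching capture passes, one with a different image length fails.
good=$(mktemp); bad=$(mktemp)
make_sample_log > "$good"
sed 's/0x00230004/0x00230000/' "$good" > "$bad"
check_redboot_log "$good" && echo "good log: values match, flashing can continue"
check_redboot_log "$bad" 2>/dev/null || echo "bad log: values differ, do not flash"
rm -f "$good" "$bad"
```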
==Resetting==

Ok, you are done! The last command is a reset, to reboot your new FREE Fonera+:

 RedBoot> reset

==Final settings and checks==

As the Fonera+ reboots, connect to your private wireless network (AKA MyPlace), and use SSH to step into your Fonera+:

 zarrelli@moveaway:~$ ssh -l root 192.168.10.1
 The authenticity of host '192.168.10.1 (192.168.10.1)' can't be establish
 RSA key fingerprint is 5c:d3:42:ed:52:6d:c0:c6:fb:ec:84:57:18:24:d7:be.
 Are you sure you want to continue connecting (yes/no)? yes
 Warning: Permanently added '192.168.10.1' (RSA) to the list of known host
 root@192.168.10.1's password:
 BusyBox v1.4.1 (2007-09-03 10:39:50 UTC) Built-in shell (ash)
 Enter 'help' for a list of built-in commands.
 [ASCII-art banner]
 -------------- Fonera 1.5 Firmware (v1.1.1.1) -----------------
  * Based on OpenWrt - http://openwrt.org
  * Powered by FON - http://www.fon.com
 -----------------------------------------------------
 root@OpenWrt:~#

Ohhhhh... the Fonera+ is open.... Wow!!!

Your Fonera+ is now FREE!

=Final settings, tweaking (all OS)=

==Updating personal config from FON==

Just after flashing, your Fonera+ will reset to factory default settings. You can verify this by going into your HTTP console on 192.168.10.1.

To update your config, log on to www.fon.com and access the userzone. Select your router, and update the private and public WiFi SSID names. If you don't want to change the name, just change one letter, click the "update" button, and change it back to the right name. For the private WLAN: change the WEP/WPA encryption key using the same method. The Fon.com servers will send the new config to your Fonera+. Wait a few minutes and check in your local HTTP console. You don't need to reboot.

==Registered or not?==
If your Fonera+ was registered before the SSH unlock, check the status in your local HTTP console to see if all is OK. If the logo displayed is "your Fonera+ has not been registered", it is important to change this parameter to give users access to your public WLAN. To do this, open an SSH console:

 echo 1 > /etc/config/registered

Reboot your Fonera+, connect again to your local HTTP console, and verify that the logo has changed to: "Your Fonera is registered OK"

==IPK packages==

===Installing packages===

The official kernel version compiled for firmware 1.1.1r1 is 2.6.19.2. You can install ipk packages from this OpenWRT repository: http://downloads.openwrt.org/kamikaze/7.06/atheros-2.6/packages except for kmod-* packages. kmod packages must be installed from the original FON compilation. Here you can find a temporary repository for these kmod-*-fonera-1_mips.ipk packages.

Sometimes ipkg takes very long to run, and memory errors can occur. Tips: "wget" your ipk package to /tmp, and then install it from there. Kill unneeded processes with a "killall" command for: dnsmasq,chilli,fonstate,httpd,fonsmcd,crond,hotplug2,logger,syslogd,klogd,watch_chilli

===Busybox upgrade===

The Busybox provided by FON in the original firmware is very poor. Upgrading Busybox to version 1.4.2-1 will let you use the "vi" editor and get colors back when displaying files and directories. Perhaps more!

 root@OpenWrt:~# cd /tmp
 root@OpenWrt:~# wget http://downloads.openwrt.org/kamikaze/7.06/atheros-2.6/packages/busybox_1.4.2-1_mips.ipk
 Connecting to downloads.openwrt.org 195.56.146.238:80
 busybox_1.4.2-1_mips 100% |*****************************| 312 KB 00:00:00 ETA
 root@OpenWrt:~# ipkg install busybox_1.4.2-1_mips.ipk
 Upgrading busybox on root from 1.4.1-1 to 1.4.2-1...
 Configuring busybox
 Done.

Installation takes about 5 to 7 minutes, be patient.
If you get the error message "ipkg: fork failed: Cannot allocate memory", please kill all processes as described in the "ipkg installing packages" section.

Reboot your Fonera+ after upgrading.

==Auto-updates (thinclient)==

'''FREEWLAN comments welcome !! You have more experience about bricking with auto-update...'''

Edit the file /bin/thinclient:

Comment out this line with a leading #, like this:

 # . /tmp/.thinclient.sh

Insert a new line just after it, like this:

 cp /tmp/.thinclient.sh /tmp/thinclient-$(date '+%Y%m%d-%H%M')

Verify:

 root@OpenWrt:~# thinclient dummy
 root@OpenWrt:~# ls -l /tmp/th*
 -rw-r--r-- 1 root root 0 Oct 24 07:45 /tmp/thinclient-20071024-0745
 root@OpenWrt:~#

The upgrade command files sent by thinclient are now stored in /tmp. Check the messages on the FON thematic boards to find out whether this upgrade will modify the firmware or not. As with the classic Fonera, you can launch the upgrade manually. In this example ". /tmp/thinclient-20071024-0745" will start the upgrade for the hotfix/firmware.